YubiKey - Webmail with one-time passwords
Obtaining YubiKeys
Until April 2022, it was possible to obtain a YubiKey through mailbox. For organizational reasons, we no longer offer this option.
Secure login with one-time passwords (OTP)
mailbox offers the option to log in securely using a one-time password (OTP). This involves a small device called a YubiKey, which resembles a USB stick. At the push of a button it generates a new password, and each password is valid for a single login only.
This way you can access your mailbox even from devices you do not trust: a computer in an internet café, hotel Wi-Fi while traveling, or a customer's workstation when working on site as an external employee. Even if the password you typed were intercepted, it would not help the attacker: a one-time password that has already been used is rejected, so logging in again with it is not possible.
Technical implementation with the YubiKey
For the technical implementation, we use the YubiKey as a one-time password generator (token). This compact device, which can be conveniently carried on a keychain or even as an accessory, is simply used via USB.
As soon as the YubiKey is plugged into a USB port, it registers with the computer as an ordinary keyboard. At the push of its button it types a long, complex, single-use password into whatever input field currently has the focus, so place the cursor in the password field before pressing.
Thanks to this simple principle, the YubiKey works with all common operating systems, whether Linux, macOS, or Windows, without drivers or additional software. The only requirement is a USB port.
For smartphones, special YubiKey models with NFC (near field communication) are available, which enable wireless authentication.
Note: When logging in with one-time passwords, the password you type is different every time. Open-Xchange, however, uses the login password itself to encrypt the stored passwords of external mail accounts. For this reason, a technical limitation, YubiKeys cannot be used together with integrated external accounts.
Additional protection with a PIN
Logging in to mailbox with the YubiKey alone is not possible. In addition to the generated one-time password, you must also enter a four-digit PIN of your choice.
This combination of PIN and one-time password gives you true two-factor authentication at mailbox: technically, it combines something you know (the PIN) with something you have (the token). Your regular password is not used at all when logging in with one-time passwords, so it is never typed on the untrusted device and remains especially well protected.
For logging in with one-time passwords, you need
- Your username (your primary mail address)
- Your four-digit PIN
- The one-time password generated by the YubiKey
By the way: if you lose your YubiKey, whoever finds it still cannot access your mailbox account, because your PIN and your username are also required. On request we can block login via one-time passwords for your account until a new YubiKey has been set up.
Always one-time passwords? Or only in the webmailer?
One-time passwords are particularly suitable for logging in to the webmailer, as they allow you to access your data securely at any time and from anywhere.
On permanently set up devices – such as your private computer at home – it may be more practical to continue using the classic login with your known password. Many users store this securely and permanently encrypted in a password manager.
For accessing mail on older mobile phones without USB or NFC functionality, the traditional password may also still be preferable.
For this reason, mailbox offers flexible settings that allow you to decide how you want to log in:
- By default, login with the classic password is possible.
- Alternatively, you can protect the webmailer with OTP.
- If you wish, you can also specify that login to the webmailer is only possible via OTP. In this case, the classic password will be disabled for all other services.
This way, you have full control over your security – tailored to your individual use.
Why are YubiKeys secure?
Each YubiKey contains its own secret cryptographic key, on which every one-time password it generates is based. Our server stores which key is registered to which account and can therefore decrypt and verify what the key typed. Each one-time password also carries a counter that increases with every press; the server remembers the highest value it has accepted and rejects anything older, which is why a password can never be used twice.
Logging in with just any YubiKey is not possible either: the key must have been linked to your account with us, and because each key holds its own secret, no two keys ever produce the same one-time passwords.
Your account can therefore only be authenticated with the individual YubiKey registered to it.
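The login flow described on this page (PIN plus one-time password, a key linked to exactly one account, a used password rejected) modelled end to end, as an added example. This is illustrative Go code written for this page, not mailbox's or Yubico's implementation. It follows the Yubico OTP scheme, which is how a YubiKey types a 44-character password: a 12-character public ID in the clear followed by one AES-128 block that only the key and the server can decrypt, and which matches the "decrypt and verify" description above. The server keeps, per account, the linked key's secrets, the PIN and the highest counter pair accepted so far, which is what makes a captured password worthless once it has been used. Everything else is an assumption of this example: plain hex instead of Yubico's modhex alphabet, the timestamp and CRC-16 fields of the real block left zero, the PIN compared in the clear rather than stored hashed, and all names (Token, Account, Login, the secrets, the PIN 4711) invented.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Secrets are programmed into the key once and stored by the server against the account.
type Secrets struct {
	PublicID, PrivateID [6]byte // only the public ID ever appears in the clear
	Key                 [16]byte // AES-128 key: never leaves the key or the server
}

// Token models the key side (an assumed model for this example, not Yubico's firmware).
type Token struct {
	Secrets
	session uint16 // incremented on every power-up (USB insertion)
	use     byte   // incremented on every button press, reset on power-up
}

func (t *Token) PowerUp() { t.session++; t.use = 0 }

// Press returns the 44-character OTP for one press: the public ID in the clear, then one AES block
// holding private ID and counters; rnd replaces the key's random filler for determinism. Simplified:
// a real key types Yubico's modhex alphabet, not hex, and its block also has a timestamp and CRC-16.
func (t *Token) Press(rnd uint16) string {
	var pt, ct [16]byte
	copy(pt[:6], t.PrivateID[:])
	binary.LittleEndian.PutUint16(pt[6:], t.session)
	pt[11] = t.use
	binary.LittleEndian.PutUint16(pt[12:], rnd)
	block, _ := aes.NewCipher(t.Key[:]) // 16-byte key: cannot fail
	block.Encrypt(ct[:], pt[:])
	t.use++
	return hex.EncodeToString(t.PublicID[:]) + hex.EncodeToString(ct[:])
}

// Account is the server's record: the linked key, the PIN, and the highest (session, use) seen.
type Account struct {
	Secrets
	PIN         string // kept in the clear for brevity; a real server stores a hash
	lastSession uint16
	lastUse     byte
}

var ErrBadPIN = errors.New("wrong PIN")
var ErrWrongKey = errors.New("OTP malformed or not from the key linked to this account")
var ErrReplay = errors.New("OTP already used or older than the last accepted one")

// Login checks knowledge (PIN) and possession (OTP); counters advance only once every check passed.
func (a *Account) Login(pin, otp string) error {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(a.PIN)) != 1 {
		return ErrBadPIN
	}
	raw, err := hex.DecodeString(otp)
	if err != nil || len(raw) != 22 || subtle.ConstantTimeCompare(raw[:6], a.PublicID[:]) != 1 {
		return ErrWrongKey // the first 12 characters must name the key linked to this account
	}
	block, _ := aes.NewCipher(a.Key[:])
	pt := raw[6:]
	block.Decrypt(pt, pt) // decrypt in place with this account's key
	if subtle.ConstantTimeCompare(pt[:6], a.PrivateID[:]) != 1 {
		return ErrWrongKey // wrong AES key or tampered block: the private ID does not decrypt
	}
	session, use := binary.LittleEndian.Uint16(pt[6:]), pt[11]
	if session < a.lastSession || (session == a.lastSession && use <= a.lastUse) {
		return ErrReplay // only an OTP strictly newer than the last accepted one is valid
	}
	a.lastSession, a.lastUse = session, use
	return nil
}

// Demo links one key to an account and plays through the cases described on the page.
func Demo() []error {
	sec := Secrets{PublicID: [6]byte{1, 2, 3, 4, 5, 6}, PrivateID: [6]byte{0xde, 0xad, 0xbe, 0xef}, Key: [16]byte{0x2b, 0x7e, 0x15, 0x16}}
	tok, alice := &Token{Secrets: sec}, &Account{Secrets: sec, PIN: "4711"}
	tok.PowerUp() // plugged in: session 1
	otp1, otp2, otp3 := tok.Press(0x1111), tok.Press(0x2222), tok.Press(0x3333)
	tok.PowerUp() // re-plugged: session 2, use counter restarts at 0
	otp4 := tok.Press(0x4444)
	clone := &Token{Secrets: Secrets{PublicID: sec.PublicID, PrivateID: [6]byte{9}, Key: [16]byte{9}}} // knows alice's public ID only
	return []error{
		alice.Login("4711", otp1),           // nil: accepted
		alice.Login("4711", otp1),           // ErrReplay: same OTP twice
		alice.Login("0000", otp2),           // ErrBadPIN: the key alone is not enough
		alice.Login("4711", otp2),           // nil: use counter advanced
		alice.Login("4711", otp4),           // nil: newer session
		alice.Login("4711", otp3),           // ErrReplay: older than the last accepted OTP
		alice.Login("4711", clone.Press(1)), // ErrWrongKey: encrypted with a different AES key
	}
}

func main() {
	for i, err := range Demo() {
		fmt.Printf("attempt %d: %v\n", i+1, err)
	}
}
```

Two details are worth noticing when running it. The PIN is checked before anything is decrypted and the counters are only updated after every check has passed, so a wrong PIN or a foreign key never changes the account's state. And the ordering rule is stricter than "each password once": an OTP generated before the key was re-plugged but submitted afterwards (otp3) is rejected although it was never used, so a keypress that went astray must simply be followed by a fresh one.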